On July 6, 2026, the Saudi Electricity Company (SEC) introduced a new technical requirement for digital substations used in NEOM Phase II: suppliers must meet IEC 62443-3-3 Level 2 certification, and penetration testing must be carried out by SGS Riyadh or TUV Rheinland Jeddah. Because the requirement also applies to pending tenders from July 1, this is not just a specification update; it directly affects bidding readiness, certification planning, testing arrangements, and delivery coordination for companies involved in grid equipment supply and related compliance work.

According to the provided event summary, SEC released Technical Specification SEC-TS-DS-2026-07 on July 6. The specification requires all digital substations deployed in NEOM Phase II to achieve IEC 62443-3-3 Level 2 certification. It also makes penetration testing mandatory and limits that testing to SGS Riyadh or TUV Rheinland Jeddah. The requirement applies retroactively to all pending tenders as of July 1.
From an industry perspective, companies participating in pending tenders may be affected first because the rule reaches back to bids that were not yet finalized as of July 1. The practical issue is not only whether a product can be supplied, but whether the supplier can demonstrate alignment with the newly stated certification and testing path in time for tender review, clarification, or resubmission processes.
Analysis shows that manufacturers and system integrators involved in digital substations may need to review whether their technical files, certification status, and cybersecurity testing materials match the new specification language. The impact is likely to appear in specification alignment, document preparation, and handover readiness rather than only in hardware delivery.
What deserves closer attention is that penetration testing is not described as optional or open-ended. Because the summary names SGS Riyadh and TUV Rheinland Jeddah for mandatory testing, suppliers and project teams may need to treat testing access, scheduling, report timing, and certification sequencing as part of procurement and delivery planning. For service providers supporting compliance, this also raises the importance of document completeness and testing coordination.
Companies with pending tenders should first examine whether their submissions fall within the July 1 retroactive scope described in the summary. The key point is to identify where bid documents, technical responses, or qualification materials may now need updating to reflect IEC 62443-3-3 Level 2 and the specified penetration testing route.
Observably, the certification requirement is framed as a deployment condition for digital substations in NEOM Phase II. Firms should therefore check whether existing certification materials are already aligned, partially aligned, or not yet aligned with IEC 62443-3-3 Level 2, and whether any compliance gaps could affect tender responsiveness or delivery commitments.
From a practical standpoint, suppliers may need to pay closer attention to the completeness of technical documentation, penetration testing records, and related compliance files. The provided information does not describe the full document package or acceptance format, so companies should treat this as an area requiring continued monitoring rather than assume a settled execution standard.
Analysis shows that the next operational signal will likely come from how the new specification is reflected in tender texts, qualification wording, and compliance verification steps. Since the input does not provide detailed implementation procedures, companies should focus on whether later procurement documents clarify deadlines, evidence requirements, or review methods.
As an editorial observation, this development is more appropriate to understand as an execution-level compliance signal tied to procurement and project delivery, not merely a broad cybersecurity policy message. Two elements support that reading: the requirement is attached to a named technical specification, and it includes both a defined certification level and designated testing bodies. At the same time, the available information does not yet show the full enforcement mechanics, so market participants still need to watch how the requirement is applied in practice.
At this stage, the event should be read as a concrete tightening of bid and delivery conditions for NEOM Phase II digital substations. It does not by itself confirm broader market outcomes beyond the scope stated in the summary, but it clearly raises the compliance threshold for affected suppliers. A neutral reading is that the rule has already moved beyond discussion and into project-facing requirements, while several execution details still require close observation.
This article is based on the user-provided news title, event date, and event summary. For developments of this kind, commonly relevant source types may include official announcements, regulatory or utility publications, standard-related documents, procurement notices, certification body communications, and reporting by authoritative industry media. No specific official source link was provided in the input, so the underlying publication link and any subsequent official clarifications still need to be verified. Continued attention should be paid to implementation detail, certification interpretation, tender document updates, and market feedback from affected companies.
Related News